Skip to content

fix(deps): vuln minor: com.fasterxml.jackson.core:jackson-databind · patch: com.cronutils:cron-utils [pkg/dependency]#33

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/minorpatch/maven/dependency/2-1776941448
Open

fix(deps): vuln minor: com.fasterxml.jackson.core:jackson-databind · patch: com.cronutils:cron-utils [pkg/dependency]#33
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/minorpatch/maven/dependency/2-1776941448

Conversation

@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Apr 23, 2026

Summary: Critical-severity security update — 2 packages upgraded (MINOR changes included)

Manifests changed:

  • pkg/dependency (maven)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
com.cronutils:cron-utils 9.1.2 9.1.8 patch Direct 4 CRITICAL
com.fasterxml.jackson.core:jackson-databind 2.9.10.6 2.21.2 minor Direct 38 HIGH

Security Details

🚨 Critical & High Severity (42 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
com.cronutils:cron-utils GHSA-pfj3-56hm-jwq5 CRITICAL Template injection in cron-utils 9.1.2 9.1.3
com.cronutils:cron-utils CVE-2021-41269 CRITICAL - 9.1.2 -
com.cronutils:cron-utils GHSA-p9m8-27x8-rg87 CRITICAL Critical vulnerability found in cron-utils 9.1.2 9.1.6
com.cronutils:cron-utils CVE-2020-26238 CRITICAL - 9.1.2 -
com.fasterxml.jackson.core:jackson-databind GHSA-57j2-w4cx-62h2 HIGH Deeply nested json in jackson-databind 2.9.10.6 2.13.2.1
com.fasterxml.jackson.core:jackson-databind CVE-2020-36182 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-vfqx-33qm-g869 HIGH Unsafe Deserialization in jackson-databind 2.9.10.6 2.9.10.8
com.fasterxml.jackson.core:jackson-databind CVE-2020-36189 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-jjjh-jjxp-wpff HIGH Uncontrolled Resource Consumption in Jackson-databind 2.9.10.6 2.12.7.1
com.fasterxml.jackson.core:jackson-databind CVE-2022-42003 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-5r5r-6hpj-8gg9 HIGH Serialization gadget exploit in jackson-databind 2.9.10.6 2.9.10.8
com.fasterxml.jackson.core:jackson-databind CVE-2020-35728 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-cvm9-fjm9-3572 HIGH Unsafe Deserialization in jackson-databind 2.9.10.6 2.9.10.8
com.fasterxml.jackson.core:jackson-databind GHSA-f9xh-2qgp-cq57 HIGH Unsafe Deserialization in jackson-databind 2.9.10.6 2.9.10.8
com.fasterxml.jackson.core:jackson-databind GHSA-r3gr-cxrf-hg25 HIGH Serialization gadgets exploit in jackson-databind 2.9.10.6 2.9.10.8
com.fasterxml.jackson.core:jackson-databind CVE-2020-35491 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-r695-7vr9-jgc2 HIGH Unsafe Deserialization in jackson-databind 2.9.10.6 2.9.10.8
com.fasterxml.jackson.core:jackson-databind CVE-2020-36187 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-9m6f-7xcq-8vf8 HIGH Unsafe Deserialization in jackson-databind 2.9.10.6 2.9.10.8
com.fasterxml.jackson.core:jackson-databind CVE-2020-36183 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-m6x4-97wx-4q27 HIGH Unsafe Deserialization in jackson-databind 2.9.10.6 2.9.10.8
com.fasterxml.jackson.core:jackson-databind CVE-2020-36518 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind CVE-2021-20190 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-89qr-369f-5m5x HIGH Unsafe Deserialization in jackson-databind 2.9.10.6 2.9.10.8
com.fasterxml.jackson.core:jackson-databind CVE-2020-36181 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind CVE-2020-36188 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-v585-23hc-c647 HIGH Unsafe Deserialization in jackson-databind 2.9.10.6 2.9.10.8
com.fasterxml.jackson.core:jackson-databind CVE-2020-36186 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-rgv9-q543-rqg4 HIGH Uncontrolled Resource Consumption in FasterXML jackson-databind 2.9.10.6 2.12.7.1
com.fasterxml.jackson.core:jackson-databind CVE-2022-42004 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-wh8g-3j2c-rqj5 HIGH Serialization gadgets exploit in jackson-databind 2.9.10.6 2.9.10.8
com.fasterxml.jackson.core:jackson-databind CVE-2020-35490 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-288c-cq4h-88gq HIGH XML External Entity (XXE) Injection in Jackson Databind 2.9.10.6 2.6.7.4
com.fasterxml.jackson.core:jackson-databind CVE-2020-25649 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-8c4j-34r4-xr8g HIGH Unsafe Deserialization in jackson-databind 2.9.10.6 2.9.10.8
com.fasterxml.jackson.core:jackson-databind CVE-2020-36180 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-8w26-6f25-cm9x HIGH Unsafe Deserialization in jackson-databind 2.9.10.6 2.9.10.8
com.fasterxml.jackson.core:jackson-databind CVE-2020-36185 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-5949-rw7g-wx7w HIGH Deserialization of untrusted data in jackson-databind 2.9.10.6 2.9.10.7
com.fasterxml.jackson.core:jackson-databind CVE-2020-36179 HIGH - 2.9.10.6 -
com.fasterxml.jackson.core:jackson-databind GHSA-9gph-22xh-8x98 HIGH Unsafe Deserialization in jackson-databind 2.9.10.6 2.9.10.8
com.fasterxml.jackson.core:jackson-databind CVE-2020-36184 HIGH - 2.9.10.6 -
⚠️ Dependencies that have Reached EOL (2)
Dependency Unsafe Version EOL Date New Version Path
com.cronutils:cron-utils 9.1.2 Nov 14, 2025 9.1.8 pkg/dependency/parser/java/jar/testdata/testimage/maven/pom.xml
com.fasterxml.jackson.core:jackson-databind 2.9.10.6 - 2.21.2 pkg/dependency/parser/java/jar/testdata/testimage/maven/pom.xml

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

@campaigner-prod campaigner-prod Bot marked this pull request as ready for review April 23, 2026 14:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-critical-severity adms-dependency-update adms-fixes-eol adms-high-severity adms-java adms-minor-update adms-mode-all-updates campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants